Safety switching device and method for failsafe shutdown of an electric load

ABSTRACT

The invention relates to a safety switching device for the failsafe shutdown of an electric load, such as an electrically driven machine. The safety switching device has a signal processing part for receiving and evaluating an input-side switching signal, which, for example, originates from an emergency stop switch. It also has at least one switching element which, controlled by the signal processing part, provides an output-side switching signal for shutting down the load. An anti-surge element is provided for canceling reaction voltage spikes when the load is shut down. The anti-surge element has at least a first and a second anti-surge operating mode, which can be activated as an alternative to one another.

CROSS-REFERENCES TO RELATED APPLICATIONS

The present application is a continuation of co-pending international patent application PCT/EP2004/004352, filed on Apr. 24, 2004 and published as WO 2004/105067 A1 in the German language, which international application claims priority under the Paris convention from German patent application 103 25 363.7, filed on May 23, 2003.

BACKGROUND OF THE INVENTION

The present invention relates to a safety switching device and a method for the failsafe shutdown of an electric load, in particular for shutting down an electrically driven machine. The invention particularly relates to a safety switching device and a method for the failsafe shutdown of an inductive load that causes overvoltage spikes when being shut down.

Safety switching devices in terms of the present invention are provided for controlling technical systems and devices in a failsafe manner, and in particular shutting them down in a failsafe manner, if required, in order to prevent, for example, a risk to operating personnel. “Failsafe” in this case means that the successful shutdown operation needs to be ensured even when a fault occurs in the safety switching device or in its environment, for example when a component of the safety switching device fails. Therefore, prior art safety switching devices are generally of a redundant design and, in numerous countries, they require special approval from a competent supervisory authority. With regard to the present invention, safety switching devices are those which at least meet Category 3 of the European Standard EN 954-1 or a comparable safety standard, and also those which are specifically envisaged for a corresponding safety-critical application. In this regard, however, the invention is not restricted to safety switching devices in the narrower sense, but it also comprises safety controllers and field bus-based safety systems, which implement the functionality of a safety switching device of the type to be described in more detail below in addition to possibly complex control tasks.

The signal processing part of the safety switching device serves the purpose of receiving and evaluating an input-side switching signal, which is produced in the case of conventional applications, for example, by an emergency stop button, a guard door, a light barrier arrangement, two-handed control switches or other safety transmitters. The signal processing part evaluates the switching signal in a failsafe manner and, on the basis thereof, controls at least one, but generally two or more, output-side switching elements. The output signal of the switching elements is fed to one or more actuators, such as contactors, via whose working contacts the current is supplied to a monitored machine. Furthermore, solenoid valves, which are part of a hydraulic drive, are often also switched on and off using known safety switching devices.

Contactors, solenoid valves and similar actuators have in common that they represent an inductive load for the safety switching device. This means that, during shutdown, an overvoltage spike occurs, whose level can substantially exceed the normal operating voltage. Therefore, the outputs of prior art safety switching devices generally have an anti-surge element, often what is called an anti-surge diode, which is connected back-to-back in parallel with the input coil of the contactor or solenoid valve. A safety switching device having such an anti-surge diode is known, for example, from DE 199 54 460 A1. In addition, safety switching devices having an anti-surge diode are marketed by the present assignee under the brand name PNOZ®.

However, the anti-surge elements in the known safety switching devices have two principal disadvantages which may be significant to differing extents depending on the practical implementation. A first disadvantage consists in the fact that the current through the contactor coil decays more slowly during shutdown, which delays the shutdown operation. A second disadvantage is undesirable introduction of heat into the safety switching device, which is produced, in particular, by the signal processing part needing to switch the output-side switching elements off and on again frequently for test purposes. The voltage spike which occurs during disconnection is canceled via the anti-surge element arranged in the safety switching device, and the energy stored in the contactor coil is converted into a resistive power loss within the safety switching device.

SUMMARY OF THE INVENTION

Against this background, it is an object of the present invention to provide a safety switching device and a method, which allow a reduction of heat introduced into the safety switching device.

According to one aspect of the invention, there is provided a safety switching device for failsafe shutdown of an electric load, the safety switching device comprising a signal processing part for receiving and evaluating an input-side switching signal, at least one switching element adapted to provide an output-side switching signal for shutting down the load, the at least one switching element being controlled by the signal processing part, and at least one anti-surge element for canceling voltage spikes when the load is shut down, wherein the anti-surge element has at least a first and a second anti-surge operating mode, which can be activated as an alternative to one another.

According to another aspect of the invention, there is provided a method for failsafe shutdown of an electric load, comprising the steps of:

receiving and evaluating an input-side switching signal,

shutting down the load as a function of the input-side switching signal, and

canceling voltage spikes by means of an anti-surge element when the load is being shut down,

wherein the anti-surge element has at least a first and a second anti-surge operating mode, which are activated as an alternative to one another.

Preferably, the anti-surge element is switched over from the first to the second anti-surge operating mode when the load is being shut down.

The invention is thus based on the idea of designing the anti-surge element to be variable. This makes it possible to design the anti-surge element differently for different situations and requirements and to optimize it in each case to the intended use. The anti-surge element thus has different anti-surge operating modes, which can be activated depending on the intended use and situation.

For a safety shutdown, the anti-surge element is preferably designed such that the current in the inductive load decays as rapidly as possible. In this situation, the introduction of heat into the safety switching device is of minor importance, since of primary concern here is the rapid and safe shutdown of the load.

Since a safety shutdown occurs relatively rarely, the introduction of heat is a small problem in this situation. However, this is not the case for shutdown tests which are typically carried out on a regular basis. Since these shutdown tests occur regularly during operation of the safety switching device and, in addition, there is no superordinate safety purpose standing in the way, it is advantageous in this case for the anti-surge element to be optimized not primarily in terms of speed but in terms of as little introduction of heat as possible.

The different aims can be achieved jointly by designing the anti-surge element for different anti-surge operating modes. Furthermore, an anti-surge element having different anti-surge operating modes can also be optimized more easily with respect to individual properties of different (inductive) loads.

In a preferred refinement of the invention, the anti-surge operating mode can be set by the signal processing part.

This refinement has the advantage that the signal processing part has full control over the function of the anti-surge element, with the result that, in the event of a safety shutdown triggered by the signal processing part, an optimally short decay time is ensured.

In a further refinement, the signal processing part has a first operating state, in which the load is switched on, and a second operating state for shutting down the load. The anti-surge element is preferably in the first anti-surge operating mode during the first operating state and in the second anti-surge operating mode during the second operating state.

This refinement makes optimum use of the basic idea by changing the anti-surge operating mode, in particular in the case of a safety shutdown. While the safety shutdown primarily serves the purpose of switching the connected load over to a non-hazardous state, the connected load often remains largely unaffected by the internal functional sequences of the safety switching device during steady-state operation. Even if the at least one output-side switching element is briefly opened for test purposes, the connected load often remains uninfluenced owing to the sluggishness of the actuators. The change in the anti-surge operating modes when the load is shut down makes it possible to adapt in optimum fashion to the differing interests during steady-state monitoring mode and in the event of a safety shutdown.

In a further refinement, the signal processing part is designed, in its first operating state, to switch the at least one switching element off in a pulsed manner.

This refinement continues what has been said before, since a change in the anti-surge operating mode is particularly advantageous if a distinction is made between shutdown operations for test purposes and “real” safety shutdowns. Due to the differing interests, the change in the anti-surge operating mode is in this case particularly effective.

In a further refinement, the anti-surge element has a low response threshold in the first anti-surge operating mode and a high response threshold in the second anti-surge operating mode.

In this refinement, the anti-surge element is in particular optimized in terms of, on the one hand, minimizing the introduction of heat into the safety switching device during the shutdown tests and, on the other hand, allowing as rapid a decay as possible of the current through the inductive load in the event of a safety shutdown.

In a further refinement, an overvoltage protection element is arranged in parallel with the switching element.

In addition to the various anti-surge operating modes, this refinement offers improved protection of the output-side switching element and makes possible a more rapid safety shutdown. For example, the anti-surge element in the second anti-surge operating mode can be optimized in terms of the safety shutdown without taking into account the protection of the output-side switching element.

In a further refinement, the overvoltage protection element has a third response threshold, which is higher than the low response threshold of the anti-surge element.

This measure uses the abovementioned concepts. Furthermore, it has the particular advantage that the energy stored in the inductive load is kept “outside” during the shutdown tests, i.e. is not converted into resistive heat loss by means of the overvoltage protection element. A further advantage of this measure is the fact that the inductive load does not need to be recharged, or only needs to be recharged to a small extent, once the shutdown test has been completed, which makes it easier to carry out the shutdown tests.

In a further refinement, the anti-surge element comprises a switchable semiconductor component, preferably a thyristor, as the anti-surge component.

Switchable semiconductor components, and in particular thyristors, have proven to be particularly effective at minimizing the introduction of heat into the switching device when carrying out shutdown tests owing to their low forward voltage in the on state.

In a further refinement, the switchable semiconductor component is integrated in the safety switching device.

This refinement makes it easier to install the novel safety switching device, since the anti-surge element does not need to be wired from the user side in addition to the safety switching device. On the other hand, it is here possible to integrate the anti-surge element into the safety switching device without unduly increasing the thermal loading of the safety switching device.

It goes without saying that the above-mentioned features, and those yet to be explained below, can be used not only in the combination specified in each case but also in other combinations or on their own, without leaving the scope of the present invention.

BRIEF DESCRIPTION OF THE FIGURES

Exemplary embodiments of the invention will be explained in more detail in the description below and are illustrated in the drawing, in which:

FIG. 1 shows a schematic block diagram of an exemplary embodiment of the novel safety switching device,

FIG. 2 shows a preferred exemplary embodiment of an anti-surge element in the novel safety switching device from FIG. 1,

FIG. 3 shows a simplified illustration of the signal profile at the output of the novel safety switching device shown in FIG. 1 without taking into account disconnection voltage spikes, and

FIG. 4 shows a simplified illustration of the magnitude signal profile when an inductive load is shut down.

DESCRIPTION OF PREFERRED EMBODIMENTS

In FIG. 1, an exemplary embodiment of a novel safety switching device is designated overall by the reference numeral 10.

The safety switching device 10 has a signal processing part 12, which is here illustrated in simplified form with two redundant microcontrollers 14, 16. The two redundant microcontrollers 14, 16 monitor one another, as is indicated by an arrow 18. It goes without saying that each of the two microcontrollers 14, 16 has a suitable peripheral (memories, communication interfaces etc.), which is not illustrated here for the sake of simplicity. Furthermore, more than only two redundant channels may also be provided for the signal processing.

The safety switching device 10 has two redundant, output-side switching elements 20, 22, which are illustrated here as electronic switching elements (semiconductor components, in this case MOS transistors) in accordance with a preferred embodiment. In the case of such switching elements, the advantages of the present invention come to fruition in a particularly effective manner, even if the invention is not restricted to these switching elements. A protection element 24, 26 is connected in parallel with each switching element 20, 22. The protection elements 24, 26 in this case bridge the source-drain path of the two switching elements 20, 22 and are implemented here in each case in the form of two opposing Zener diodes in accordance with a preferred exemplary embodiment.

The output signals of the two switching elements 20, 22 are fed to two externally connected actuators 32, 34 via outputs 28, 30. The actuators 32, 34 are in this case represented as contactors, whose respective working contacts are arranged in series with one another. A three-phase power supply 36 is connected to a drive 38, which acts as an example in this case, via the working contacts of the contactors 32, 34. The drive 38 may be, for example, an actuating drive for an automated robot or a conveyor belt. In further exemplary embodiments, the actuators 32, 34 are solenoid valves, by means of which, for example, the working movement of a hydraulic press is controlled.

The safety switching device 10 also has two anti-surge elements 40, 42, with one respective element being connected to the switching element 20, 22, in parallel with the corresponding output 28, 30. A preferred implementation of the anti-surge elements 40, 42 will be explained in more detail below with reference to FIG. 2. As is illustrated in FIG. 1, the anti-surge elements 40, 42 are in this case controlled and are switched over in terms of their anti-surge operating modes by the signal processing part 12 (as will be explained further below).

On the input side, the safety switching device 10 picks up the signals from one or more safety transmitters, which are in this case represented, by way of example, by a guard door sensor 44, a light barrier arrangement 46 and by an emergency stop button 48. This joint representation of the safety transmitters is exemplary since, in practice, safety switching devices are often especially designed for a type of safety transmitter. However, there are also safety switching devices, to which different types of safety transmitters can be connected, as is illustrated here. It goes without saying that the invention is not restricted to safety switching devices for the purpose of evaluating the safety transmitters shown here, but also includes safety switching devices for other types of signal sensors. In particular, a previous safety switching device may also function as the signal sensor, such as is described, for example, in WO 01/67610 A1.

The invention is illustrated here using the example of a safety switching device 10, in which the signal processing part 12 and the switching elements 20, 22 as well as the anti-surge elements 40, 42 are arranged in a common device housing 50. The safety switching device 10 can thus be integrated as a compact module in an overall system, for example by being mounted and wired in a switchgear cabinet. As has already been mentioned initially, the invention is not restricted to this, however. As an alternative, the invention may also be used in a complex safety controller, as is offered, for example, by the applicant under the brand name PSS®, or in the case of a field bus-based system having distributed switching elements.

In the description below of a preferred exemplary embodiment of the anti-surge element 40, same reference numerals are used for the same elements as before.

FIG. 2 illustrates the anti-surge element 40 in a preferred circuit design. It contains a voltage divider comprising two resistors 60, 62, the free end of the resistor 60 being connected to the output of the switching element 20, and the free end of the resistor 62 being connected to ground. A capacitance 64 and a protective diode 66, which is arranged in the forward direction, are connected in parallel with the resistor 60. Furthermore, a thyristor 68 is arranged in parallel with the voltage divider 60, 62, the control terminal of said thyristor 68 being connected to the junction of the two resistors 60, 62. The thyristor 68 thus obtains a control voltage which is determined by the divider ratio of the voltage divider 60, 62.

Furthermore, the anti-surge element 40 has a series circuit comprising a resistor 70 and a switch, which is illustrated here in a first switching position 72 (open). The second (closed) switching position is indicated at reference numeral 74. The series circuit comprising the resistor 70 and the switch 72/74 is connected in parallel with the resistor 60. This means that the divider ratio of the voltage divider 60, 62 and thus the triggering voltage applied to the gate trigger terminal of the thyristor 68 can be varied by means of the switch 72/74.

In FIG. 3, the output signal of the safety switching device 10 at the outputs 28, 30 is illustrated in simplified form. With a slope 80, the voltage at the outputs 28, 30 of the safety switching device 10 is switched on. The contactors 32, 34 as a result have current flowing through them and close their working contacts. As a result, the drive 38 is connected to the power supply 36 and starts up.

While the drive 38 is running (operating mode), the safety switching device 10 monitors the sensor signals, which are applied to the input, from the safety transmitters 44, 46, 48. The signal processing part 12 evaluates the input-side switching signals from the safety transmitters in a failsafe manner and possibly triggers a safety shutdown of the drive 38, which is illustrated in FIG. 3 by a slope 82. For the safety shutdown, the signal processing part 12 opens the switching elements 20, 22, with the result that the voltage at the outputs 28, 30 drops off and, as a result, the working contacts of the contactors 32, 34 are opened. This causes the drive 38 to be isolated from the power supply 36.

During the operating mode, which is also referred to as the first operating state in the following, the signal processing part 12 carries out regular shutdown tests by opening the switching elements 20, 22 briefly (in a pulsed manner) and closing them again. Two such shutdown tests are illustrated in the output signal in FIG. 3 at reference numeral 84.

The shutdown pulses 84 are generally shorter than the release time of the contactors 32, 34, with the result that the drive 38 continues to run unimpeded despite the shutdown pulses 84. If possible, the shutdown pulses 84 may also be filtered out upstream of the contactors 32, 34 for undisturbed operation of the drive 38. The signal processing part 12 can monitor the successful opening of the switching elements 20, 22 via a readback line (not illustrated here). The signal processing part 12 can thus ensure that the switching elements 20, 22 function in a reliable manner for the case of a safety shutdown.

As is known to those skilled in the art in this field, the shutdown (even for a short period of time) of an inductive load results in a voltage spike, which is illustrated in simplified form in FIG. 4 in the magnitude profile (reference numeral 86). The reaction of such voltage spikes 86 on the outputs of the safety switching device 10 is brought under control by the anti-surge elements 40, 42.

The mode of operation of the anti-surge elements 40, 42 is as follows: in the operating mode, the voltage spike 86 is built up in the case of a shutdown pulse 84. This voltage spike 86 produces a triggering voltage at the trigger terminal of the thyristor 68 via voltage divider 60, 62. The dimensions of the voltage divider 60, 62 are selected such that the response threshold of the thyristor 68 is lower than the response threshold of the protective elements 24, 26. In FIG. 4, the two response thresholds are illustrated by reference numerals 88 and 90. When the response threshold 88 is exceeded, the thyristor 68 is triggered and thus closes a discharge circuit via the contactor 32. Since the thyristor has a low forward voltage of approximately 1.4 volts, in this case only little heat is introduced into the safety switching device 10.

As soon as the switching element 20, 22 is closed again at the end of the shutdown test or if the extinction current through the contactor 32 has decayed to a sufficient extent, the thyristor 68 switches over to its off state again. Here, the response threshold 88 of the thyristor 68 is essentially determined by the divider ratio of the voltage divider 60, 62.

If the signal processing part 12 would now like to trigger a safety shutdown, it brings the anti-surge element 40, 42 into its second anti-surge operating mode by actuating the switch 72/74. Owing to the different divider ratio of the voltage divider, the thyristor 68 is now triggered only at a higher response threshold, which is indicated in FIG. 4 at reference numeral 92. The response threshold 92 in FIG. 4 is higher than the response threshold 90 of the protective element 24, 26, i.e. in this case the protective element 24, 26 responds even before the thyristor 68. The response thresholds 90, 92 may, however, also be selected to be approximately equal or in the reverse sequence to that in FIG. 4. Owing to the flexible dimensioning of the response threshold 92 for a safety shutdown, the demagnetization behavior of the contactors 32, 34 can be set to an optimum speed in the operating mode independently of thermal considerations. If possible, extinction of the voltage spike 86 can be completely suppressed by the resistor 70 being replaced by a short circuit (R=0 ohm).

For the sake of completeness, it should be mentioned that the capacitance 64 serves the purpose of smoothing the voltage between the trigger terminal and the cathode of the thyristor, while the protective diode 66 protects the thyristor 68 against impermissibly high inverse voltages.

With the arrangement shown for the anti-surge element 40, 42, the introduction of heat owing to shutdown tests on safety switching devices could be reduced by the applicant from approximately 12 watts to approximately 1 watt. This makes possible a more compact design of the safety switching devices and also reduces the risk of thermally induced failures, i.e. the failsafety of the safety switching devices has been increased by the novel anti-surge elements 40, 42.
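
The trade-off between the two anti-surge operating modes can be illustrated numerically. The following sketch is an added example and not part of the patent text; it assumes a high-side switch with the contactor coil returned to ground, ignores the brief rise of the spike to the trigger threshold, and uses constructed component values apart from the approximately 1.4 volt thyristor forward voltage given above.

```python
import math

# Constructed values (assumptions, not from the patent), except V_THYRISTOR,
# which is the approximately 1.4 V forward voltage stated in the description.
V_SUPPLY = 24.0      # V, assumed supply voltage switched to output 28
R_COIL = 48.0        # ohm, assumed contactor coil resistance
L_COIL = 2.0         # H, assumed contactor coil inductance
V_THYRISTOR = 1.4    # V, forward voltage of thyristor 68 in the on state
V_ZENER = 36.0       # V, assumed clamp voltage of protection element 24
T_TEST_PULSE = 1e-3  # s, assumed width of one shutdown-test pulse 84

TAU = L_COIL / R_COIL  # coil time constant


def coil_current(i0, v_reverse, t):
    """Coil current t seconds after the switching element opens.

    Solves L di/dt = -(v_reverse + R i), where v_reverse is the reverse
    voltage the clamping path imposes on the coil. Clipped at zero because
    the clamping path conducts in one direction only.
    """
    offset = v_reverse / R_COIL
    return max(0.0, (i0 + offset) * math.exp(-t / TAU) - offset)


def decay_time(i0, v_reverse):
    """Time until the coil current reaches zero."""
    return TAU * math.log(1.0 + i0 * R_COIL / v_reverse)


def element_energy(i0, v_reverse, v_element, duration):
    """Heat in the clamping element: v_element times the charge it carries."""
    offset = v_reverse / R_COIL
    t = min(duration, decay_time(i0, v_reverse))
    charge = (i0 + offset) * TAU * (1.0 - math.exp(-t / TAU)) - offset * t
    return v_element * charge


def compare():
    """Compare both clamping paths for a full shutdown and for one test pulse."""
    i0 = V_SUPPLY / R_COIL  # steady-state coil current before the switch opens
    paths = {
        # First mode: thyristor 68 conducts across the output, so the coil
        # sees only the forward voltage and the thyristor dissipates it.
        "first": (V_THYRISTOR, V_THYRISTOR),
        # Second mode with threshold 92 above threshold 90: the Zener pair
        # across the switch clamps; the coil sees V_ZENER - V_SUPPLY while
        # the Zener itself drops the full V_ZENER.
        "second": (V_ZENER - V_SUPPLY, V_ZENER),
    }
    result = {}
    for name, (v_reverse, v_element) in paths.items():
        result[name] = {
            "decay_ms": 1e3 * decay_time(i0, v_reverse),
            "pulse_mJ": 1e3 * element_energy(i0, v_reverse, v_element,
                                             T_TEST_PULSE),
            "i_after_pulse": coil_current(i0, v_reverse, T_TEST_PULSE),
        }
    return result


if __name__ == "__main__":
    for mode, values in compare().items():
        print(mode, {k: round(v, 3) for k, v in values.items()})
```

With these assumed values the low clamp voltage keeps the heat per test pulse small but stretches a full decay, while the high clamp voltage does the opposite, which is the reason the description switches modes for a safety shutdown.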

1. A safety switching device for failsafe shutdown of an electric load, the safety switching device comprising a signal processing part for receiving and evaluating an input-side switching signal, at least one switching element adapted to provide an output-side switching signal for shutting down the load, the at least one switching element being controlled by the signal processing part, and at least one anti-surge element for canceling voltage spikes when the load is shut down, wherein the anti-surge element has at least a first and a second anti-surge operating mode, which can be activated as an alternative to one another.

2. The safety switching device of claim 1, wherein the signal processing part is configured to select between the first and the second anti-surge operating mode.

3. The safety switching device of claim 1, wherein the signal processing part has a first operating state, during which the load is switched on, and a second operating state for shutting down the load.

4. The safety switching device of claim 3, wherein the anti-surge element is in the first anti-surge operating mode during the first operating state, and it is in the second anti-surge operating mode during the second operating state.

5. The safety switching device of claim 3, wherein the signal processing part is designed, in its first operating state, to switch off the at least one switching element in a continuing pulsed manner.

6. The safety switching device of claim 1, wherein the anti-surge element has a low response threshold in the first anti-surge operating mode and a high response threshold in the second anti-surge operating mode.

7. The safety switching device of claim 1, further comprising an overvoltage protection element which is arranged in parallel to the at least one switching element.

8. The safety switching device of claim 7, wherein the anti-surge element has a low response threshold in the first anti-surge operating mode and a high response threshold in the second anti-surge operating mode, and wherein the overvoltage protection element has a third response threshold, which is higher than the low response threshold of the anti-surge element.

9. The safety switching device of claim 1, wherein the anti-surge element comprises a switchable semiconductor component as an anti-surge component.

10. The safety switching device of claim 9, wherein the switchable semiconductor component is a thyristor.

11. The safety switching device of claim 9, wherein the switchable semiconductor component is integrated in the safety switching device.

12. The safety switching device of claim 1, wherein the at least one switching element is a semiconductor switching element.

13. A method for failsafe shutdown of an electric load, comprising the steps of: receiving and evaluating an input-side switching signal, shutting down the load as a function of the input-side switching signal, and canceling voltage spikes by means of an anti-surge element when the load is being shut down, wherein the anti-surge element has at least a first and a second anti-surge operating mode, which are activated as an alternative to one another.

14. The method of claim 13, wherein the anti-surge element is switched over from the first to the second anti-surge operating mode when the load is being shut down.